
There is an unfortunate misperception among PHP programmers that having open (777) permissions on a file or folder is not a security risk for a website, or at worst only a minor one. The purpose of this article is to explain why this is wrong: such permissions are dangerous to the security of your site. I will discuss this using the context of a Joomla website, but really the main points apply to any website.

If you know anything about the file system on a Linux web server, you will probably be aware of the system of file and folder permissions. I am not going to describe this in detail; if you want further information you can read about it here. Broadly, this system attaches a three-digit number to each file which controls how (and if) it can be read, written to, and executed. The first digit refers to the permissions the file owner has over the file, the second digit refers to the permissions other users in the owner's group have, and the third digit refers to the permissions that anybody else on the same system has. The higher the number, the greater the permissions.

Permissions of 777 mean that anyone who is a user on the same server can read, write to and execute the file. In the case of a folder, anyone who is a user will be able to copy files into it. This obviously sounds dangerous if you are using a shared server for your website, which is the case for many personal and small business websites. Normally such servers host thousands of websites, meaning that there are thousands of users. For this reason, the normal safe permissions are considered to be 644 for a file and 755 for a folder. Depending on the way PHP is run on your server, PHP scripts will normally not run with permissions above 755 for security reasons.
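To make the three digits concrete, here is an added example (not code from the original article) that expands a mode such as 644 into what each digit grants, and then walks a web root flagging anything world-writable or looser than the 644/755 baseline the article recommends. The directory layout and the file name thumbnails.php are constructed in a temporary directory for the demo; they are not paths from the article's site.

```python
"""Added example, not part of the original article: decode Unix permission
digits and audit a web root for world-writable files and folders.
Every path used by demo() is constructed inside a temporary directory."""
import os
import stat
import tempfile

# Meaning of each bit within one octal digit; the same table applies to the
# owner digit, the group digit and the "other" (everyone else) digit.
BITS = ((4, "read"), (2, "write"), (1, "execute"))


def describe_mode(octal_str):
    """Expand a three-digit mode such as '777' or '644' into a dict mapping
    'owner'/'group'/'other' to the permissions that digit grants."""
    if len(octal_str) != 3 or any(c not in "01234567" for c in octal_str):
        raise ValueError("expected three octal digits, e.g. '644'")
    result = {}
    for who, digit in zip(("owner", "group", "other"), octal_str):
        value = int(digit)
        result[who] = [label for bit, label in BITS if value & bit]
    return result


def is_world_writable(mode):
    """True if the 'other' write bit is set: any other account on the same
    host may modify the entry, which is the digit the article is worried about."""
    return bool(mode & stat.S_IWOTH)


def audit_tree(root, safe_file=0o644, safe_dir=0o755):
    """Walk `root` and return a sorted list of (relative_path, mode, problem)
    for entries that are world-writable or carry bits beyond 644 (files)
    or 755 (folders). Symlinks are skipped; their own mode bits are not
    meaningful on Linux."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            perm = stat.S_IMODE(st.st_mode)
            safe = safe_dir if stat.S_ISDIR(st.st_mode) else safe_file
            rel = os.path.relpath(full, root)
            if is_world_writable(perm):
                findings.append((rel, format(perm, "03o"), "world-writable"))
            elif perm & ~safe:
                findings.append((rel, format(perm, "03o"),
                                 "bits beyond %03o" % safe))
    return sorted(findings)


def demo():
    """Constructed scenario: a tiny web root with one open uploads folder and
    one 777 script inside it. Returns the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "images", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php // constructed placeholder\n")
        with open(os.path.join(uploads, "thumbnails.php"), "w") as f:
            f.write("<?php // constructed sample file, deliberately empty\n")
        os.chmod(os.path.join(root, "index.php"), 0o644)
        os.chmod(os.path.join(root, "images"), 0o755)
        os.chmod(uploads, 0o777)
        os.chmod(os.path.join(uploads, "thumbnails.php"), 0o777)
        return audit_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing audit_tree() at a real document root gives a quick list of what is open; run it before and after a permissions clean-up so that anything a tidy-up made executable (the scenario described further down) is at least visible.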

However, when writing applications that handle files (for example an application which allows site users to upload images), PHP developers often like to change the relevant file and folder permissions to 777 in order to avoid problems with file manipulation that can sometimes arise from file ownership problems. It is unfortunately still quite common practice to create an open (777) uploads folder. The developers reason that PHP scripts will not normally run in such a folder, so that if an attacker were to exploit the permissions to upload a rogue script to your site, it would not run anyway, so there is no security risk. This is perfectly correct reasoning if you live in a techie ivory tower, but wrong and dangerous in reality. Here is why.

The first obvious flaw in this reasoning is that it overlooks the danger from non-PHP files. Open folder permissions can make your site vulnerable to cross-site scripting (XSS) attack. There is a very good and clear account of how such attacks work here. These attacks are usually accomplished through malicious HTML and JavaScript, which could be copied to the open folder by a malicious user. Because JavaScript runs in the visitor's browser, disabling scripting in open folders on the web server will do nothing to protect against this type of attack. The impact of XSS attacks can be very serious: if you happen to be logged into your Joomla administrator account when you fall victim to the attack, it can be used to steal your login cookie and through this gain access to your administrator account. In addition to XSS, your site may also be vulnerable to a malicious user posting malware designed to be downloaded onto a visitor's computer (so-called 'drive-by downloads'), or the posting of stuff that is just plain nasty, such as extreme images.

Secondly, file and folder permissions may be changed over time. If an attacker is clever and patient they can use the open folder to upload a PHP script 'on spec' that provides a back door to your site. Of course it will probably not run at the moment, but the attacker can wait. Perhaps they do this, then a few months later you as the site owner notice the open uploads folder permissions, decide that you don't want this and change the permissions to a safer 755. Perhaps you use the excellent Admin Tools extension if you are running a Joomla site, which will fix file and folder permissions for you. The problem with doing this is that the uploaded malicious PHP script will now run! Fixing the file permissions has finished the job of hacking your site.

Most people do not know exactly which files should or should not be part of their site. Possibly they are not the person who developed it; there may have been a succession of people who have worked on it. In addition to the normal hundreds of Joomla files on most sites there will be several extensions, each perhaps consisting of hundreds of files, plus probably one or two stand-alone scripts (themselves consisting of many files) performing specialist functions, and also probably a certain number of junk files that no longer serve a useful purpose but once did. If the site owner looks in the uploads folder, how are they going to know that the script file called, for example, thumbnails.php should not be there? It has a nice, reassuring name so is not likely to be dangerous - so they think anyway. For all they know it could be doing something important, so they cannot just remove it. This is the problem in the real world.

I do not think that it is ever acceptable for a PHP developer to create an open folder or file and leave it like that. If you are a PHP developer and you really want 777 permissions in order to handle file operations, use chmod to change the permissions temporarily. Then, when you have finished your operation, change them back again. Do this even if you think that you have deleted the file, just in case you haven't. Any open folder is a potential entry point for an attacker, even if you think it is not exploitable. There are some very clever people out there who make it their business to find weaknesses in websites, some of them are certainly cleverer than you - and me.
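The "widen, do the work, change it back" advice above, written out as an added example (not the article's code, and not a Joomla API): the folder's original mode is recorded, widened only for the duration of the operation, and restored in a finally clause so that an exception halfway through cannot leave the folder open, and the new file is set to 644 before the function returns. The uploads folder and the file photo.jpg are constructed in a temporary directory for the demo.

```python
"""Added example, not part of the original article: widen a folder's
permissions only while a file operation runs, and restore them afterwards
even if the operation fails. Paths in demo() are constructed in a temp dir."""
import os
import stat
import tempfile
from contextlib import contextmanager


def current_mode(path):
    """Permission bits of `path` as an int (e.g. 0o755)."""
    return stat.S_IMODE(os.stat(path).st_mode)


@contextmanager
def temporarily_mode(path, mode):
    """Set `path` to `mode` for the with-block and put the original mode back
    in a finally clause, whether the block finished or raised."""
    original = current_mode(path)
    os.chmod(path, mode)
    try:
        yield original
    finally:
        os.chmod(path, original)


def save_upload(upload_dir, filename, data):
    """Write an uploaded file into `upload_dir`, opening the folder only while
    writing, then lock the new file down to 644. Returns the file's mode."""
    # basename() drops any directory component supplied with the name, so the
    # file can only land inside upload_dir.
    target = os.path.join(upload_dir, os.path.basename(filename))
    with temporarily_mode(upload_dir, 0o777):
        with open(target, "wb") as f:
            f.write(data)
        os.chmod(target, 0o644)
    return current_mode(target)


def demo():
    """Constructed scenario: one upload that succeeds and one operation that
    raises midway. Returns (mode while open, dir mode after success,
    dir mode after failure, uploaded file mode)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o755)

        file_mode = save_upload(uploads, "photo.jpg", b"\xff\xd8\xff constructed bytes")
        after_ok = current_mode(uploads)

        inside = None
        try:
            with temporarily_mode(uploads, 0o777):
                inside = current_mode(uploads)  # the folder really is 777 here
                raise IOError("simulated failure during file manipulation")
        except IOError:
            pass  # the finally clause has already restored 755
        after_fail = current_mode(uploads)

        return inside, after_ok, after_fail, file_mode


if __name__ == "__main__":
    print("inside=%03o after_ok=%03o after_fail=%03o file=%03o" % demo())
```

The same structure translates directly to PHP's chmod() with a try/finally block; the point is that the restore is unconditional, not that it is written in any particular language.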